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METHOD AND APPARATUS FOR SHARING A 
SECURITY CONTEXT BETWEEN DIFFERENT 
SESSIONS ON A DATABASE SERVER 



Field of the Invention 

The present invention relates to providing security on database servers. 
More specifically, the present invention relates to a method and an apparatus for 
sharing a security context for a client between different sessions on a database 
25 server, wherein the security context is used enforce access rights on the database 
server. 

Related Art 



Many computer systems are presently built around a multi-tier architecture 



30 in which client machines in a client tier communicate with application servers in 
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an application tier. These application servers in turn communicate with database 
servers in a database tier. This type of multi-tier architecture can scale to provide 
large amounts of computing power for applications that must process large 
volumes of traffic, such as heavily used web sites or enterprise computing 
5 systems. 

Li multi-tier architectures, security is typically enforced in the application 
tier. Users operating on client machines typically authenticate themselves to an 
application on an application server, which is responsible for maintaining client 
connections. This application typically uses a single identity to log into a database 
1 0 server in the database tier. Hence, all database requests originating from all of the 
client connections are channeled through the same application identity into the 
database server. Consequently, the database server must rely on the application to 
enforce security for client connections. 



1 5 preferable to enforce security at the database server. However, there are a number 
of problems in doing so. 

A given user may try to access a database through different connections 
with the database. For example, in a connection pooling arrangement, an 
application channels requests generated by a large number of users through a 

20 smaller number of connections with the database server. Hence, a given database 
connection handles requests for many users, and requests from a given user can be 
channeled through any one of the connections with the database server, 

hi another example, a given user may access the database through both a 
first application and a second application. In this case, the second application has 

25 no idea what type of access rights the first application has granted to the user. It is 
possible for the application developers for the first application and the second 
application to implement some type of ad hoc communication and 



Instead of blindly relying on the application to enforce security, it is 
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synchronization mechanism between the first application and the second 
application in order to share security information for users. However, doing this 
requires a great deal of additional programming, and the developers must be very 
careful about how security information is communicated between applications. 

hi order to overcome the above-listed problems, what is needed is a 
method and an apparatus for efficiently sharuig client-specific security 
information between different sessions on a database server. 

SUMMARY 

One embodiment of the present invention provides a system for sharing a 
security context between different sessions on a database server. The system 
operates by receiving a request at the database server through a database session 
between the database server and an appKcation on a database client. The system 
looks up an identifier for an application client that was previously associated with 
the database session. The system uses this identifier to look up the security 
context containing attributes related to the application client within a storage area 
associated with the database server. Next, the system performs a database 
operation to satisfy the request and in doing so enforces access rights associated 
with the security context. 

In one embodiment of the present invention, tiie request includes a 
database query directed to a database on the database server. 

In one embodiment of the present invention, performing the database 
operation involves modifying the database query to enforce access rights 
associated with the security context. 

In one embodiment of the present invention, the identifier for the 
application client identifies a user of the application that is sending the request to 
the database server. 
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In one embodiment of the present invention, the database client is an 
application server that is sending the request to the database server, and the 
identifier for the application client identifies an application session between the 
application on the application server and the client of the application. In a 
5 variation on this embodiment, the system additionally receives a request from the 
application to change the application session associated with the database session. 
In response to the request, the system changes the application session associated 
with the database session. In a variation on this embodiment, the system 
facilitates connection pooling by periodically changing the application session 

1 0 associated with the database session in order to channel requests associated with 
multiple application sessions through the database session. 

In one embodiment of the present invention, prior to receiving the request, 
the system receives the security context for the application client from the 
database client. The system inserts this security context into the storage area 

15 associated with the database server, so that the security context can be indexed by 
the identifier for the application client. 

In one embodiment of the present invention, the system allows the 
application client to use the same security context through a second application. 
The system does this by: receiving a second request at the database server through 

20 the second database session with the second application; looking up the identifier 
for the application client, the identifier having been previously associated with the 
second database session; and using the identifier to look up the security context 
for the application client within the storage area associated with the database 
server. 

25 
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BRIEF DESCRIPTION OF THE FIGURES 

FIG. 1 illustrates a multi-tier architecture in accordance with an 
embodiment of the present invention. 

FIG. 2 is a flow chart illustrating the process of using a security context to 
5 enforce access rights for a user in accordance with an embodiment of the present 
invention. 

FIG. 3 is a flow chart illustrating the process of using a security context to 
enforce security in a connection pooling arrangement in accordance with an 
embodiment of the present invention. 
1 0 FIG. 4 is a flow chart illustrating the process of using a security context for 

an application operated by a single user in accordance with an embodiment of the 
present invention. 



DETAILED DESCRIPTION 

1 5 The following description is presented to enable any person skilled in the 

art to make and use the invention, and is provided in the context of a particular 
application and its requirements. Various modifications to the disclosed 
embodiments will be readily apparent to those skilled in the art, and the general 
principles defined herein may be applied to other embodiments and applications 

20 without departing from the spirit and scope of the present invention. Thus, the 
present invention is not intended to be limited to the embodiments shown, but is 
to be accorded the widest scope consistent with the principles and features 
disclosed herein. 

The data structures and code described in this detailed description are 
25 typically stored on a computer readable storage medium, which may be any device 
or medium that can store code and/or data for use by a computer system. This 
includes, but is not limited to, magnetic and optical storage devices such as disk 
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drives, magnetic tape, CDs (compact discs) and DVDs (digital video discs), and 
computer instruction signals embodied in a transmission medium (with or without 
a carrier wave upon which the signals are modulated). For example, the 
transmission medium may include a communications network, such as the 
5 hitemet. 

Multi-Tier Architecture 

FIG. 1 illustrates a multi-tier architecture in accordance with an 

embodiment of the present invention. This multi-tier architecture includes clients 
10 104-107 coupled to application servers 112-113, which are in turn coupled to 

database server 120. 

Note that clients 104-107, application servers 112-113 and database server 

120 can generally be based on any type of computer system, including, but not 

limited to, a computer system based on a microprocessor, a mainframe computer, 
15 a digital signal processor, a personal organizer, a device controller, and a 

computational engine within an appliance. 

Also note that computer systems 104-107, 112-113 and 120 are coupled 

together by a computer network (not shown). This network can include any type 

of wire or wireless communication channel capable of coupling together 
20 computing nodes. This includes, but is not limited to, a local area network, a wide 

area network, or a combination of networks. In one embodiment of the present 

invention, the network includes the Internet. 

More specifically, clients 104-107 can include any node on the network 

including computational capability and including a mechanism for communicating 
25 across the network. Client 104 is operated by user 102 who accesses application 

1 14 on application server 112 and analysis tool 1 15 on application server 113 

through client 104. 
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Application servers 112-113 can include any nodes on the computer 
network including a mechanism for servicing requests from clients 104-107 for 
computational and/or data storage resources. Application server 112 hosts 
application 114, which communicates with clients 104-107. Application server 
5 113 hosts analysis tool 115, which conmiunicates with client 1 04, 

Application 1 14 can generally include any type of application that can run 
on an application server. In one embodiment of the present invention, application 
1 14 implements a web site that communicates with web browsers located within 
clients 104-107. 

10 Application 114 communicates with clients 104-107 through application 

sessions 108-1 1 1, respectively. Note that the terms "session" and "connection" 
are used interchangeably throughout this specification to refer to active 
communication links between computer systems. Note that application server 112 
maintains state information for each of application sessions 108-1 1 1 . Similarly, 

15 analysis tool 115 communicates with client 104 through application session 103, 
and application server 113 maintains state information for application session 103. 

Database server 120 can include any node on a computer network 
including a mechanism for servicing requests from a client to perform database 
operations. Database server 120 contains query processor 126 and global 

20 application pool 122. Query processor 126 performs data processing operations 
for queries submitted by application servers 1 12-1 13 to database server 120. In 
performing these queries, query processor 126 uses security context information 
from global application pool 122 in order to enforce access rights for users/clients 
of application servers 1 12-1 13. 

25 Database server 120 communicates with storage device 136, which 

contains tables 134 for storing database data. Storage device 136 can include any 
type of non- volatile storage device that can be coupled to a computer system. 
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This includes, but is not limited to, magnetic, optical, and magneto-optical storage 
devices, as well as storage devices based on flash memory and/or battery-backed 
up memory. 

Database server 120 communicates with application 114 on application 
5 server 1 1 2 through database sessions 1 30 and 1 3 1 . Note that application 1 1 4 
performs connection pooling, which causes requests from clients 104-107 to be 
channeled through database sessions 130-131. Note that connection pooling 
systems generally channel requests from a large number of clients into a much 
smaller number of connections with a database server. Database server 120 also 
1 0 communicates with analysis tool 1 1 5 on application server 1 1 3 through database 
session 132. 

Process of Initializing Security Context 

FIG. 2 is a flow chart illustrating the process of adding a security context 
15 to a database server 1 20 in accordance with an embodiment of the present 

invention. First, user 102 logs onto application 114 through client 104 (step 202). 
This typically involves some type of authentication, such as asking user 102 for a 
password. Next, appUcation 114 queries user 102 (and potentially other sources) 
for security attributes that make up a security context for user 102 (step 204). 
20 These attributes can mclude, but are not limited to, items such as a department 
that user 102 belongs to, the responsibilities of user 102 and specific access 
privileges of user 102. This querying process may involve validating the 
information provided by user 102 against data fi-om other sources. 

Next, application 1 14 sends the attributes related to user 102 that make up 
25 the security context to database server 120 (step 206). In one embodiment of the 
present invention, this is accompUshed by first assigning a session ED to user 102, 
such as 12345, and then using the fimction call 
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SET_CONTEXTCHR', 'RESP', '13', 'APPSMGR', '12345'); 



to record a context for user 102 in global application pool 122 on database server 
120. This fiinction call specifies that for session ID 12345 there is an application 
context 'RESP' with a value '13' in the 'HR' namespace. Furthermore, this 
context can only be read by database user 'APPSMGR'. 'HR' is a global context 
namespace previously created using the function call: 

CREATE CONTEXT hr USING hr.init ACCESSED GLOBALLY; 

The above-described context can be used for connection pooling purposes 
as is described in more detail belovs^ with reference to FIG. 3. 

A context can also be created to enable multiple database sessions to share 
the same context using the function call: 

SET_CONTEXT('HR', 'RESP', '13', 'SCOTT', NULL); 

This allows the user "SCOTT" to use the same security context when logging into 
through database session 130 from application 1 14, or through database session 
1 32 from analysis tool 115. 

Upon receiving a new security context, database server 120 checks the 
context type (step 208). If the context type is global, database server 120 adds the 
new context to global application pool 122 (step 210). Note that contexts can be 
stored within global apphcation pool 122 using any type of indexing structure that 
allows contexts to be retrieved based upon a user name and/or a session ID. 
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Process of Using a Security Context in a Connection Pooling Arrangement 

FIG. 3 is a flow chart illustrating the process of using a security context to 
enforce security in a connection pooling arrangement in accordance with an 
embodiment of the present invention. A connection pooling mechanism within 
5 application 1 14 first selects a database session (step 302). Next, the connection 
pooling mechanism associates a database session with a cHent (step 304). For 
example, the connection pooling mechanism can assign user 102 on client 104 to 
database session 130. This can be accomplished using the function call: 

1 0 SET_IDENTIFIER(' 1 2345 '); 

This function call specifies that database session 130 belongs to 
apphcation session ID '12345'. 

Next, the application 114 sends a query to database server 120 on behalf of 
1 5 user 1 02 (step 3 06). This query is sent to database server 1 20 through database 
session 130 (step 306). 

Database server receives the query (step 308), and retrieves the security 
context for the session. This is accomplished by using the function call: 

20 SYS_CONTEXT('HR', 'RESP'); 

This function call looks up identifier '12345', which is currently associated with 
database session 130 (step 310), and uses identifier ' 12345' to lookup the security 
context ('HR', 'RESP', '13', 'APPSMGR', '12345') from global application pool 
25 1 22 (step 312). This function call returns the value '13'. 

In one embodiment of the present invention, this lookup involves looking 
up (database user, application session ID) pairs in the following way. The system 
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first looks up CAPPSMGR', ' 12345') (which in this case returns a context). If 
this does not return a context, the system looks up ('APPSMGR', NULL) for the 
same user, but another session ID. If this does not return a context, the system 
looks up (NULL, '12345') for the same session ID, but another user. If this does 
5 not return a context, the system looks up (NULL, NULL) for all users and all 
session IDs. If this does not return a context, the system indicates that a context 
was not found. 

The value '13' returned by the lookup is used to rewrite the query, if 
necessary, to adhere to the security context (step 314). For example, suppose a 
1 0 user issues the select statement, 

SELECT^ FROM payroll; 

This select statement can be rewritten as follows to restrict the user to only 
1 5 view payroll entries from the user' s own department: 

SELECT * FROM payroll WHERE dept - users_dept; 

Note that the above-described security enforcement process can be used to 
20 facilitate selectively switching a large number of application sessions 108- 11 1 
between a smaller number of database sessions 130-131 for connection pooling 
purposes. 

Also note that a function call "CLEAR JDENTIFIER();" can be used to 
reset all application session identifiers associated with database session 130 when 
25 exiting database session 130. 
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Process of Using a Security Context for a Single User Annlicatinn 

FIG. 4 is a flow chart illustrating the process of using a security context to 
enforce access rights for a user 102 in accordance with an embodiment of the 
present invention. User 102 first logs on to an application, such as analysis tool 
5 11 5 on application server 1 1 3 (step 402). Next, analysis tool 1 1 5 establishes a 
database session 132 with database server 120 by forwarding a usemame and 
password to database server 120 (step 404). The system also associates database 
session 132 with the usemame, 'SCOTT', for user 102 (step 406). This user name 
'SCOTT' is specified when the user logs into the system. 
10 Next, analysis tool 1 1 5 submits a query to database server 120 (step 408), 

and the query is received at database server 120 (step 410). In order to process the 
query, database server 120 looks up the security context for the query (step 412). 
by using the function call 

15 SYS_CONTEXT('HR', 'RESP'); 

This function call looks up identifier 'SCOTT' currently associated with database 
session 132, and uses the identifier 'SCOTT' to lookup the security context ('HR', 
'RESP', '13', 'SCOTT', NULL) from global appUcation pool 122. This function 
20 call returns the value '13'. 

This value ' 13' is used to rewrite the query, if necessary, to adhere to the 
security context (step 414). 

Note that the above-described process can allow a user, such as SCOTT, to 
make use of the same security context through either application 1 14 and database 
25 session 130, or through analysis tool 115 and database session 132. 

The foregoing descriptions of embodiments of the invention have been 
presented for purposes of illustration and description only. They are not intended 
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to be exhaustive or to limit the present invention to the forms disclosed. 
Accordingly, many modifications and variations will be apparent to practitioners 
skilled in the art. Additionally, the above disclosure is not intended to limit the 
present invention. The scope of the present invention is defined by the appended 
claims. 
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What Is Claimed Is: 

1 LA method for sharing a security context between different sessions 

2 on a database server, comprising: 

3 receiving a request at the database server through a database session 

4 between the database server and an application on a database client; 

5 looking up an identifier for an application client that identifies a client of 

6 the application, the identifier having been previously associated with the database 

7 session; 

8 using the identifier to look up the security context for the application client 

9 within a storage area associated with the database server; 

10 wherein the security context includes attributes related to the application 

1 1 client; and 

12 performing a database operation to satisfy the request; 

1 3 wherein performing the database operation involves enforcing access 

1 4 rights associated with the security context. 

1 2. The method of claim 1 , wherein the request includes a database 

2 query directed to a database on the database server. 

1 3. The method of claim 2, wherein performing the database operation 

2 involves modifying the database query to enforce access rights associated with the 

3 security context. 

1 4. The method of claim 1 , wherein the identifier for the application 

2 client identifies a user of the application that is sending the request to the database 

3 server. 

14 
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1 5. The method of claim 1 , 

2 wherein the database cUent is an application server that is sending the 

3 request to the database server; and 

4 wherein the identifier for the application client identifies an application 

5 session between the application on the application server and the client of the 

6 application. 

1 6. The method of claim 5, further comprising: 

2 receiving a request from the application to change the application session 

3 associated with the database session; and 

4 changing the application session associated with the database session. 

1 7. The method of claim 5, further comprising facilitating cormection 



2 pooling by periodically changing the application session associated with the 

3 database session in order to channel requests associated with multiple application 

4 sessions through the database session. 



1 8. The method of claim 1 , wherein prior to receiving the request the 

2 method further comprises: 

3 receiving the security context for the application client from the database 

4 client; and 

5 inserting the security context into the storage area associated with the 

6 database server so that the security context can be indexed by the identifier for the 

7 application client. 
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1 9. The method of claim 1 , flirther comprising allowing the application 

2 client to use the same security context through a second application and a second 

3 database session by: 

4 receiving a second request at the database server through the second 

5 database session with the second application; 

6 looking up the identifier for the application client, the identifier having 

7 been previously associated with the second database session; and 

8 using the identifier to look up the security context for the application client 

9 within the storage area associated with the database server, 

1 10. A computer-readable storage medium storing instructions that 

2 when executed by a computer cause the computer to perform a method for sharing 

3 a security context between different sessions on a database server, the method 

4 comprising: 

5 receiving a request at the database server through a database session 

6 between the database server and an application on a database client; 

7 looking up an identifier for an application client that identifies a client of 

8 the application, the identifier having been previously associated with the database 

9 session; 

1 0 using the identifier to look up the security context for the application client 

1 1 within a storage area associated with the database server; 

12 wherein the security context includes attributes related to the application 

13 client; and 

1 4 performing a database operation to satisfy the request; 

15 wherein performing the database operation involves enforcing access 

1 6 rights associated with the security context. 
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1 11. The computer-readable storage medium of claim 1 0, wherein the 

2 request includes a database query directed to a database on the database server. 

1 12. The computer-readable storage medium of claim 1 1 , wherein 

2 performing the database operation involves modifying the database query to 

3 enforce access rights associated with the security context. 

1 1 3 . The computer-readable storage medium of claim 1 0, wherein the 

2 identifier for the application client identifies a user of the application that is 

3 sending the request to the database server. 

1 14. The computer-readable storage medium of claim 1 0, 

2 wherein the database client is an application server that is sending the 

3 request to the database server; and 

4 wherein the identifier for the application client identifies an application 

5 session between the application on the application server and the client of the 

6 application, 

1 1 5. The computer-readable storage medium of claim 14, wherein the 

2 method further comprises: 

3 receiving a request from the application to change the application session 

4 associated with the database session; and 

5 changing the application session associated with the database session. 

1 1 6. The computer-readable storage medium of claim 1 4, wherein the 

2 method further comprises facilitating connection pooling by periodically changing 

3 the application session associated with the database session in order to channel 
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1 requests associated with multiple application sessions through the database 

2 session. 



1 17. The computer-readable storage medium of claim 1 0, wherein prior 

2 to receiving the request, the method further comprises: 

3 receiving the security context for the application client from the database 

4 client; and 

5 inserting the security context into the storage area associated with the 

6 database server so that the security context can be indexed by the identifier for the 

7 application client. 



1 18. The computer-readable storage medium of claim 1 0, wherein the 

2 method allows the application client to use the same security context through a 

3 second application and a second database session by: 

4 receiving a second request at the database server through the second 

5 database session with the second application; 

6 looking up the identifier for the application client, the identifier having 

7 been previously associated with the second database session; and 

8 using the identifier to look up the security context for the application client 

9 within the storage area associated with the database server. 



1 1 9. An apparatus that facilitates sharing a security context between 

2 different sessions on a database server, comprising: 

3 a receiving mechanism that is configured to receive a request at the 

4 database server through a database session between the database server and an 

5 application on a database client; 
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6 a lookup mechanism that is configured to look up an identifier for an 

7 apphcation client that identifies a client of the application, the identifier having 

8 been previously associated with the database session; 

9 wherein the lookup mechanism is configured to use the identifier to look 

1 0 up the security context for the application client within a storage area associated 

1 1 with the database server; 

1 2 wherem the security context includes attributes related to the application 

13 client; and 

1 4 a database engine that is configured to perform a database operation to 

1 5 satisfy the request; 

1 6 wherein performing the database operation involves enforcing access 

1 7 rights associated with the security context. 

1 20. The apparatus of claim 1 9, wherein the request includes a database 

2 query directed to a database on the database server. 

1 21 . The apparatus of claim 19, wherein the database engine is 

2 configured to perform the database operation by modifymg the database query to 

3 enforce access rights associated with the security context. 

1 22. The apparatus of claim 1 9, wherein the identifier for the 

2 application client identifies a user of the application that is sending the request to 

3 the database server. 

1 23. The apparatus of claim 19, 

2 wherein the database client is an application server that is sending the 

3 request to the database server; and 
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4 wherein the identifier for the application client identifies an application 

5 session between the application on the application server and the client of the 

6 application. 

1 24. The apparatus of claim 23, wherein the receiving mechanism is 

2 additionally configured to receive a request from the application to change the 

3 application session associated with the database session; and 

4 further comprising a changing mechanism that is configured to change the 

5 application session associated with the database session in response to the request. 

1 25. The apparatus of claim 24, wherein the changing mechanism is 

2 further configured to facilitate connection pooling by periodically changing the 

3 application session associated with the database session in order to channel 

4 requests associated with multiple application sessions through the database 

5 session. 

1 26. The apparatus of claim 1 9, wherein the receiving mechanism is 

2 further configured to receive the security context for the application client from 

3 the database client; and 

4 further comprising a security context initialization mechanism that is 

5 configured to insert the security context into the storage area associated with the 

6 database server so that the security context can be indexed by the identifier for the 

7 application client. 

1 27. The apparatus of claim 19, 
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1 wherein the receiving mechanism is further configured to receive a second 

2 request at the database server through a second database session between the 

3 database server and a second application; and 

4 wherein the lookup mechanism is further configured to look up the 

5 identifier for the application client, the identifier having been previously 

6 associated with the second database session; and 

7 wherein the lookup mechanism is further configured to use the identifier to 

8 look up the security context for the application client within the storage area 

9 associated with the database server. 
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METHOD AND APPARATUS FOR SHARING A 
SECURITY CONTEXT BETWEEN DIFFERENT 
SESSIONS ON A DATABASE SERVER 

ABSTRACT 

One embodiment of the present invention provides a system for sharing a 
security context between different sessions on a database server. The system 
operates by receiving a request at the database server through a database session 
between the database server and an application on a database cHent. The system 
looks up an identifier for an application client that was previously associated with 
the database session. The system uses this identifier to look up the security 
context containing attributes related to the application client within a storage area 
associated with the database server. Next, the system performs a database 
operation to satisfy the request and in doing so enforces access rights associated 
with the security context. In one embodiment of the present invention, the request 
includes a database query directed to a database on the database server. In one 
embodiment of the present invention, performing the database operation involves 
modifying the database query to enforce access rights associated with the security 
context. In one embodiment of the present invention, the identifier for the 
application client identifies a user of the application that is sending the request to 
the database server. In one embodiment of the present invention, the database 
client is an application server that is sending the request to the database server, 
and the identifier for the application client identifies an application session 
between the application on the application server and the client of the application. 
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